QSnatch infections are the leading cause of malicious DNS traffic in Asia Pacific, according to latest findings by Akamai
- QSnatch infections are currently the largest botnet threat in enterprise environments.
- Attacks could result in the take down of servers, data theft, and disruption of services.
- Globally, about 12 percent of organizations have shown signs of a breach the past year.
Akamai Technologies, Inc. (NASDAQ: AKAM), the cloud company that powers and protects life online, today announced a new State of the Internet report that focuses on the threats to businesses and consumers in Asia Pacific caused by malicious Domain Name System (DNS) traffic.
Key findings from the Asia Pacific (APAC) report include:
- QSnatch becomes largest APAC botnet threat: QSnatch – malware that specifically targets QNAP, a type of network attached storage (NAS) device used for backups or file storage by businesses – was by far the largest botnet threat in enterprise environments in APAC in 2022. Almost 60 percent of affected devices in APAC were infected with QSnatch, making this region second only to North America in terms of devices with QSnatch infections globally.
- Rise of enterprise command and control traffic: Between 10 percent and 16 percent of organizations globally encounter command and control (C2) traffic in their network in any given quarter, indicating the possibility of an attack or breach in progress. In APAC, Akamai observed about 15 percent of affected devices reaching out to Initial Access Brokers (IABs) domains. These are cyber-criminal gangs who sell unauthorized access to breached networks to other cyber criminals, such as ransomware groups.
- APAC suffers highest home network threats globally: APAC recorded far higher consumer home network threats than any other global region. This region has twice the number of malicious flagged queries in the second half of 2022 compared to North America – the region with the second flagged queries. More than 350 million queries in APAC were found to be related to Pykspa, an info-stealing worm that spreads through Skype by sending malicious links to the affected users’ contacts.
Businesses increasingly threatened by DNS attacks
With most internet usage facilitated via DNS, it has become an important part of the attack infrastructure due to its ubiquity. Akamai observes nearly seven trillion DNS requests daily and classifies malicious DNS transactions into three main categories: malware, phishing, command, and control.
According to Akamai’s data, between 10 percent and 16 percent of organizations globally encounter command and control (C2) traffic in their network in any given quarter. The presence of C2 traffic indicates the possibility of an attack in progress, or a breach, and threats range from information stealing botnets to Initial Access Brokers (IABs) who sell unauthorized access to breached networks to other cyber criminals.
In APAC, 15 percent of affected devices have reached out to known IAB C2 domains – such as Emotet – who conduct the initial breach before selling access to ransomware groups like Lockbit and other cybercriminal groups. The region also saw ransomware variants like Revil and Lockbit move into the top five types of C2 threats affecting devices across all organizations.
Network-attached storage devices are ripe for exploitation as they are less likely to be patched and they hold troves of valuable data. Akamai data shows almost 60 percent of affected devices in APAC were infected with Qsnatch – an infostealer malware targeting NAS devices – in 2022, making this region second only to North America in terms of number of infections. With a large concentration of data centers situated in APAC, as well as the popularity of NAS devices in the small and medium enterprises segment, these factors most likely increased the number of infections overall.
“As Asia Pacific continues to accelerate its evolution as a global hub for economic and digital transformation, it is thus no surprise that attackers continue to explore any way to attack enterprises for financial gain. Akamai’s latest findings not only highlight the most prevalent attacks in each region, but also that multi-stage attacks have become a staple of the modern cyber landscape in our region. Threat Actors are finding increased success when they work together or when they can combine various tools in a single attack. A C2 infrastructure is pivotal in the success of these attacks as they can be used for communication as well as to facilitate downloading a payload and the next-stage malware to move the attack onward,” explained Reuben Koh, Director of Security Technology and Strategy, APJ at Akamai.
“It is crucial that organizations stay ahead of bad actors because of the detrimental impact that multi-stage attacks can have on their businesses. More than the immediate impacts of direct financial loss, and loss of customer confidence and trust, there is also the long-term costs to recover compromised infrastructure, such as legal, reimbursement and clean-up costs,” he continued.
Homeowners to be on high alert for DNS Attacks
While attackers often have their sights on enterprises because it presents a bigger payoff when they successfully breach their networks, home users are often an easier and quicker target as their networks are not as secure as a corporate environment. Attackers are seeking to abuse not only traditional devices like computers, but also mobile phones and Internet of Things devices.
According to Akamai’s data, APAC had the highest number of queries flagged in relation to the home network threats in the second half of 2022. The region had twice the number as compared to North America – the second most region with flagged queries.
In APAC, more than 350 million queries related to Pykspa were observed, a threat that spreads through Skype by sending malicious links to the affected users’ contacts. Its backdoor capabilities allow an attacker to connect to a remote system and execute arbitrary commands such as download files, terminate processes, and propagate through various means, including mapped drives and network shares.
Phishing campaigns are also actively targeting financial brands in APAC to lure in unsuspecting consumer phishing victims. Akamai’s research found that over 40% of all phishing campaigns were focused on financial services customers, resulting in close to 70% of all victims suffering from finance-related phishing scams and attacks. This clearly indicates that attacks against financial services and their customers were highly effective in 2022.
“Beyond the personal consequences that home users face of potentially losing all their data when their networks are compromised, there are far more insidious consequences if their devices become part of a massive botnet with attackers mobilizing zombie devices to perform cybercriminal activities without the user’s knowledge, like spamming and even launching DDoS attacks against organizations,” said Reuben Koh, Director of Security Technology and Strategy, APJ at Akamai.
“It is unsurprising that we are seeing the rise of such attacks in our region, with Asia Pacific accounting for over 1.2 billion people accessing mobile internet services today, and with IoT spending forecasted to reach $436 billion in 2026. The continuing increase in mobile and smart device use and adoption in the region is likely to foreshadow the increase in such attacks, which requires home users to be on high alert to avoid falling victim to cyberattacks,” he continued.
Advice to business and home users
Following analysis of the DNS landscape, Akamai shares the following guidance to business and home users:
– Remain proactive in ensuring optimal cyber hygiene practices for all your digital assets and users:
- Organizations should start by attaining visibility of all software and hardware assets and mapping out all critical vulnerabilities across every step of the organization’s data journey and the controls required to do so, such as DDoS protection, malware attacks and scrapping as well as lateral movement and exfiltration.
- Best practices include keeping all systems and software up to date, implementing Anti-Malware and Multi-factor Authentication and enforcing least privileged access for users and devices at all times. For larger organizations or those requiring more complex requirements, engage a specialist provider for help, but remain proactive in monitoring performance and for anomalous events concurrently.
– Foster good security practices from home:
- Home owners should take proactive steps in securing all their devices by ensuring software updates are done regularly, installing Anti-Malware software and by using WPA2 AES or WPA3 encryption for their home WIFI networks. They should also be on high alert for any potential suspicious websites, downloads and messages via email or text message.
Akamai powers and protects life online. Leading companies worldwide choose Akamai to build, deliver, and secure their digital experiences — helping billions of people live, work, and play every day. With the world’s most distributed compute platform — from cloud to edge — we make it easy for customers to develop and run applications, while we keep experiences closer to users and threats farther away. Learn more about Akamai’s security, compute, and delivery solutions at akamai.com and akamai.com/blog, or follow Akamai Technologies on Twitter and LinkedIn.